Bald Stalin
Jul 11, 2004

Our posts

Subjunctive posted:

Browser extensions have privileges roughly equivalent to an application they install. You can definitely get hosed that way.

Thank you. So it really needs to be considered and not ignored. We took away local admin rights; we should probably take away extension free-for-alls. Tier 1 support got a ticket last week that a user was getting random popups when browsing. It was a bad extension.

Can a browser extension steal a password?

stevewm posted:

We use Chrome.... UBlock is installed by default, and another extension we use for Gmail attachments is whitelisted so it can be installed if needed. Outside of that users cannot install additional extensions. We also only allow sign-in to Chrome with our own domain and password syncing is disabled. We also push some managed bookmarks down. This is all done via GPO.

Chrome is the only browser allowed and indeed it is the only one installed.

How is your team planning to address Google stopping uBlock? I heard they're introducing changes that render them (adblockers) ineffective.

Bald Stalin fucked around with this message at 17:35 on Jul 22, 2019


stevewm
May 10, 2005

Ranter posted:

How is your team planning to address Google stopping uBlock? I heard they're introducing changes that render them (adblockers) ineffective.

Supposedly the Enterprise version of the browser is not supposed to be affected by this. Regardless we'll cross that bridge when it comes. There has been a bit of back and forth on the issue.

stevewm
May 10, 2005

22 Eargesplitten posted:

The_devil_you_know.txt

It was the only browser at the time that supported GPO management (other than IE), so that is what we went with.

85% of our machines are shared access, so they are pretty locked down, and things that could potentially save someone's personal information are disabled (like Chrome sign-on).

Alpha Mayo
Jan 15, 2007
hi how are you?
there was this racist piece of shit in your av so I fixed it
you're welcome
pay it forward~
What password managers are good these days? Looking for business/team-based features and cloud sync, mobile app, and browser integration. Doesn't have to be free, it's for less than 10 users. Just want to get people off using passwords.txt from their desktop.

The big self hosted ones I see are Bitwarden, Passbolt, and LessPass, then services like LastPass etc. I like the idea of self-hosted and not having a 3rd party with possible access to the passwords, but it isn't critical.

The Fool
Oct 16, 2003


1password is good.

I don't have a lot of experience with any of the others that you have listed.

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib
Lastpass is way better at actually filling things than 1pw, because you can manually edit (and delete) the form fields it fills if need be.

The Fool
Oct 16, 2003


Lastpass is bad.

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib

The Fool posted:

Lastpass is bad.

I'm using both. It's simply better at the core functionality a password manager is supposed to provide.

xtal
Jan 9, 2011

by Fluffdaddy
No, LastPass is indeed very bad. They've had a number of security flaws and reacted badly to all of them. Most notably https://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/.

1password is the best if you don't mind using proprietary software. Otherwise, your options are basically KeePass or password-store, and while they're both very good, they aren't exactly ergonomic for the average user.

It would be really nice if password-store had features built on top of it that made it more accessible and enabled syncing and stuff. It's just a git repo after all.

xtal fucked around with this message at 00:10 on Jul 23, 2019

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib
Lastpass had security flaws, but dealt with them responsibly? Clearly a mark against the company.

The Fool
Oct 16, 2003


Lambert posted:

I'm using both. It's simply better at the core functionality a password manager is supposed to provide.

Lastpass has had multiple security issues and has a bad track record of handling them. To the point where I would no longer trust them to act in good faith in the future.

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib

The Fool posted:

Lastpass has had multiple security issues and has a bad track record of handling them. To the point where I would no longer trust them to act in good faith in the future.

I can understand this reasoning. I'm hoping 1password catches up, they seem to at least have editable form fields planned as a future feature.

Proteus Jones
Feb 28, 2013



Lambert posted:

Lastpass had security flaws, but dealt with them responsibly? Clearly a mark against the company.

Last Pass does not react well to security disclosures and has tried to dismiss some as non-issues. Also, some of the flaws discovered are typically a result of bad coding practices or lack of QA or both.

I don't care if you use Last Pass, that's a risk you've assumed yourself. But I, and others in this thread, will speak up if you recommend it for others to use.

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib

Proteus Jones posted:

Last Pass does not react well to security disclosures and has tried to dismiss some as non-issues. Also, some of the flaws discovered are typically a result of bad coding practices or lack of QA or both.

I don't care if you use Last Pass, that's a risk you've assumed yourself. But I, and others in this thread, will speak up if you recommend it for others to use.

I didn't recommend anything, but thanks for reposting the goon talking points.

But, among the two, I would recommend 1pw more.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

So for full LastPass discussion, the majority of the LastPass issues were in their browser plugin. If you want to make do without that, it isn't completely awful.

sadus
Apr 5, 2004

Secret Server is really deep (if you pay for the fancier features) and has a cloud option now too, but hosting it yourself requires Windows/IIS. Its website password autofiller thing lets you pick the form fields, but it's definitely kind of old and brittle compared to LastPass and such.

sadus fucked around with this message at 00:52 on Jul 23, 2019

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

sadus posted:

Secret Server is really deep (if you pay for the fancier features) and has a cloud option now too but hosting it yourself requires windows/IIS. Its website password autofiller thing lets you pick the form fields but it's definitely kind of old and brittle compared to lastpass and such

Do they support TPMs for key escrow on the data blob yet because holy poo poo after running their Password Reset Server stuff I do not trust Thycotic to properly handle key material

sadus
Apr 5, 2004

BangersInMyKnickers posted:

Do they support TPMs for key escrow on the data blob yet because holy poo poo after running their Password Reset Server stuff I do not trust Thycotic to properly handle key material

Ha I don't think Password Reset Server had been updated in yearrrrs, Secret Server gets updated a lot though. SS supports HSMs now but that poo poo is expensive. Master encryption key can be dpapi protected on disk, but definitely lots of keys and passwords flying around in memory unprotected if someone owns the server itself
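Added example for the point sadus makes above about DPAPI-protected keys on disk versus keys unprotected in memory. This is not code from the thread or from Thycotic; it shows the general pattern of wrapping a master key with DPAPI for storage and zeroing the plaintext as soon as it has been used. The file path and the entropy string are assumptions for the demo.

```powershell
# Added example, not code from the thread or from Thycotic: wrap a master encryption
# key with DPAPI so the file on disk is only readable on this machine, and clear the
# plaintext key from memory once it has been used. Path and entropy are assumptions.
Add-Type -AssemblyName System.Security

function Protect-MasterKey {
    param(
        [Parameter(Mandatory)][byte[]]$KeyBytes,
        [Parameter(Mandatory)][string]$Path,
        [byte[]]$Entropy = $null
    )
    # LocalMachine scope: any process on this host can unwrap the blob, which is what
    # a service account needs, but it also means the blob gives no protection once
    # someone can run code on the server itself. It defends against the file being
    # copied elsewhere, nothing more.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $KeyBytes, $Entropy,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [System.IO.File]::WriteAllBytes($Path, $blob)
}

function Unprotect-MasterKey {
    param(
        [Parameter(Mandatory)][string]$Path,
        [byte[]]$Entropy = $null
    )
    $blob = [System.IO.File]::ReadAllBytes($Path)
    # Throws CryptographicException on another machine or with the wrong entropy.
    return [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $Entropy,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
}

# Constructed demo: a fresh 256-bit key, protected with a per-application entropy
# value so a copied blob also needs that value, not just access to the host.
$keyPath = Join-Path $env:TEMP 'master.key.dpapi'
$entropy = [System.Text.Encoding]::UTF8.GetBytes('demo-app-entropy')   # assumption
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

Protect-MasterKey -KeyBytes $key -Path $keyPath -Entropy $entropy
[Array]::Clear($key, 0, $key.Length)          # plaintext no longer needed here

$recovered = Unprotect-MasterKey -Path $keyPath -Entropy $entropy
try {
    # ... use $recovered for the real decryption work here ...
    "Unwrapped {0} key bytes" -f $recovered.Length
}
finally {
    # Zero the array as soon as the key is not needed; while it sits here it is
    # exactly the "unprotected in memory" exposure described in the post above.
    [Array]::Clear($recovered, 0, $recovered.Length)
}
```

The design point is the one in the post: DPAPI protects the key at rest, but anything running on the box with the right scope can unwrap it and the plaintext lives in process memory while in use, so the real question for a secrets product is how long keys stay in memory and who can reach that memory, not whether the on-disk blob is wrapped.
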

Potato Salad
Oct 23, 2014

nobody cares


BangersInMyKnickers posted:

Do they support TPMs for key escrow on the data blob yet because holy poo poo after running their Password Reset Server stuff I do not trust Thycotic to properly handle key material

They don't, and no they still don't deserve your business

I'm locked in for weird reasons and the second I'm not, it's centrify and aad all the motherfucking way from top to bottom

sadus posted:

Ha I don't think Password Reset Server had been updated in yearrrrs, Secret Server gets updated a lot though. SS supports HSMs now but that poo poo is expensive. Master encryption key can be dpapi protected on disk, but definitely lots of keys and passwords flying around in memory unprotected if someone owns the server itself

Password reset server functionality is kinda coming into SS. Yes hsms are supported at hilarious cost. Like sadus I would not qualify their trust stack as resilient

Hell, if a coming demo of azure's :c2b: hsm goes well...

Potato Salad fucked around with this message at 01:40 on Jul 23, 2019

sadus
Apr 5, 2004

AWS has a real deal CNG-compatible CloudHSM too now with a 10k/yr price tag (plus they suggest two for HA). Azure Key Vault and AWS IAM encryption keys are wayyyyy cheaper though, like a few bucks a month. We tried a trial of SS Cloud and it can tie into AWS IAM keys but meh, cloud. Azure alone has had so much downtime lately it's crazy.

All I know is some random Mr Robot episode had an "exfiltrate the HSM keys" scene which made me happy, no one I know outside of work has ever even heard of one hah.

sadus fucked around with this message at 02:21 on Jul 23, 2019

Potato Salad
Oct 23, 2014

nobody cares


sadus posted:

All I know is some random Mr Robot episode had an "exfiltrate the HSM keys" scene which made me happy, no one I know outside of work has ever even heard of one hah.

Sodium pentathol and a sack of cash?

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


I need to persuade my husband that LastPass is more secure than 1Password. Anybody got cites?

Sickening
Jul 16, 2007

Black summer was the best summer.

Arsenic Lupin posted:

I need to persuade my husband that LastPass is more secure than 1Password. Anybody got cites?

Oh my, here we go again. Buckle up.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Arsenic Lupin posted:

I need to persuade my husband that LastPass is more secure than 1Password. Anybody got cites?

https://bugs.chromium.org/p/project-zero/issues/detail?id=1209

https://bugs.chromium.org/p/project-zero/issues/detail?id=1217

https://bugs.chromium.org/p/project-zero/issues/detail?id=1225

Take a special look at the first two, where LastPass was hit with a critical vulnerability, rolled out a duct-taped fix, said everything was good - and the same exploit with a tiny bit of extra special-case bypass popped right back up again. Tavis wrote the following in his next bug report for that reason:

quote:

NOTE: Please ***do not*** release a patch until you're confident all cases have been fixed. Releasing a patch that just fixes the single case that I've made a demo for will make it very easy to identify the vulnerability and for someone to simply exploit any of the hundreds of others of cases where you've made this mistake. Please communicate with me on your plan to release fixes so that we can make sure the process goes smoothly.

The bugs are a couple of years old at this point, but general consensus on LastPass is that they're much more focused on "look at our good security!" PR than on actual security.

Sefal
Nov 8, 2011
Fun Shoe
My brain instinctively switched the placement of lastpass and 1password in that post. It did not comprehend the original structure until I saw Sickening's post

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Arsenic Lupin posted:

I need to persuade my husband that LastPass is more secure than 1Password. Anybody got cites?

here's a secure solution you both can agree on

https://www.amazon.com/Adams-Password-Journal-Inches-APJ99/dp/B006J2HPKQ/ref=sr_1_5?keywords=password+book&qid=1563894791&s=gateway&sr=8-5

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Literally a more secure password manager than LastPass

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952

How's ansible-vault for practical use within ansible/our Linux infrastructure?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
One day I need to critically review Dashlane since it shows up in half of the YouTube promos I see.

Alpha Mayo
Jan 15, 2007
hi how are you?
there was this racist piece of shit in your av so I fixed it
you're welcome
pay it forward~

Sticky Note on monitor: You haven't even seen my final form.

evil_bunnY
Apr 2, 2003

Lain Iwakura posted:

One day I need to critically review Dashlane since it shows up in half of the YouTube promos I see.

I know someone who swears by it so I'd love to see that.

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


Ranter posted:

Can a browser extension steal a password?

Yes, it can access anything on the page. You used to be able to exfiltrate local files without the user's knowledge as well. Or install things, but that was more noticeable with the default Windows security settings. There's more controls now and I haven't bothered digging into them to see how to get around them.

saphirecalypso
Jul 23, 2019

by FactsAreUseless
confirmed

saphirecalypso fucked around with this message at 23:47 on Jul 24, 2019

Bald Stalin
Jul 11, 2004

Our posts

duz posted:

Yes, it can access anything on the page. You used to be able to exfiltrate local files without the user's knowledge as well. Or install things, but that was more noticeable with the default Windows security settings. There's more controls now and I haven't bothered digging into them to see how to get around them.

Then my organization needs to create an extension whitelist and lock down our browsers. I have lots of work to do! *sigh*

Bald Stalin fucked around with this message at 23:16 on Jul 23, 2019
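Added example covering both stevewm's Chrome lockdown quoted earlier in the thread (extension allow-list, sign-in restricted to the company domain, sync disabled, managed bookmarks, all via GPO) and the extension whitelist Bald Stalin says the organization now needs. This is not code from any poster; it writes the same Chrome policies directly into the registry keys that the GPO ADMX templates set, which is handy for testing on one machine before building the GPO. The extension IDs, the sign-in domain and the bookmark URL are assumptions; take real IDs from the Web Store listing. The policy names used are the current ones (older Chrome versions used ExtensionInstallWhitelist/Blacklist for the same lists).

```powershell
# Added example, not code from the thread: Chrome lockdown policies as registry values
# under the HKLM policy key (the same values a GPO with the Chrome ADMX templates writes).
# Extension IDs, domain and bookmark URL below are assumptions for the demo.
$base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeListPolicy {
    # Chrome list policies are stored as a subkey with string values named "1", "2", ...
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Items
    )
    $key = Join-Path $base $Name
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }   # replace, don't merge, the list
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($item in $Items) {
        New-ItemProperty -Path $key -Name ([string]$i) -Value $item -PropertyType String -Force | Out-Null
        $i++
    }
}

New-Item -Path $base -Force | Out-Null

# 1. Block every extension, then allow-list only the approved ones. The allow-list
#    overrides the "*" block entry, so users can install exactly these and nothing else.
$uBlockOrigin    = 'cjpalhdlnbpafiamejdnhcphjbkeiagm'   # assumption: uBlock Origin's Web Store ID, verify before use
$gmailAttachTool = '<extension-id-from-web-store>'      # placeholder for the attachment extension
Set-ChromeListPolicy -Name 'ExtensionInstallBlocklist' -Items @('*')
Set-ChromeListPolicy -Name 'ExtensionInstallAllowlist' -Items @($uBlockOrigin, $gmailAttachTool)

# 2. Force-install the ad blocker so it is present by default, not just permitted.
#    Format is "<id>;<update URL>"; the URL is Google's CRX update service.
Set-ChromeListPolicy -Name 'ExtensionInstallForcelist' `
    -Items @("$uBlockOrigin;https://clients2.google.com/service/update2/crx")

# 3. Only allow Chrome sign-in with company accounts (regex on the account name) and
#    disable sync so credentials and history never leave the machine via the profile.
New-ItemProperty -Path $base -Name 'RestrictSigninToPattern' -Value '.*@example\.com' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $base -Name 'SyncDisabled' -Value 1 -PropertyType DWord -Force | Out-Null

# 4. Managed bookmarks are a single JSON string; the first element names the folder.
$bookmarks = ConvertTo-Json -Compress -InputObject @(
    @{ toplevel_name = 'IT' },
    @{ name = 'Helpdesk'; url = 'https://helpdesk.example.com' }
)
New-ItemProperty -Path $base -Name 'ManagedBookmarks' -Value $bookmarks -PropertyType String -Force | Out-Null

# Check what landed; chrome://policy in the browser shows the same values and flags
# any that are malformed or ignored.
Get-ItemProperty -Path $base
Get-ChildItem -Path $base | ForEach-Object { Get-ItemProperty -Path $_.PSPath }
```

The "*" entry in the blocklist is what actually closes the free-for-all; the allow-list alone would not stop anything. Once the values behave as expected on a test box, the same settings go into a GPO with the Chrome ADMX templates so they are enforced fleet-wide and survive a user re-installing the browser.
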

Cugel the Clever
Apr 5, 2009
I LOVE AMERICA AND CAPITALISM DESPITE BEING POOR AS FUCK. I WILL NEVER RETIRE BUT HERE'S ANOTHER 200$ FOR UKRAINE, SLAVA

xtal posted:

1password is the best if you don't mind using proprietary software. Otherwise, your options are basically KeePass or password-store, and while they're both very good, they aren't exactly ergonomic for the average user.
:sigh: Tried to show KeePass to my 60-something mother after she heard some cybersecurity story on NPR and got concerned, but it quickly hit the classic roadblock of "Wait, you have to copy and then paste?? This is getting complicated, let me write this down." Don't think she's touched it since.

I swear my parents knew the fundamentals of computer operation in the early 2000s, but either they lost it along the way or have just grown incapable of transposing the knowledge they do have into a different, but closely parallel context...

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Ranter posted:

Then my organization needs to create an extension whitelist and lock down our browsers. I have lots of work to do! *sigh*

True in all aspects.

Potato Salad
Oct 23, 2014

nobody cares


Someone who understands telco: what do?


Rephrased: does shaken/stir actually work

Potato Salad fucked around with this message at 02:01 on Jul 25, 2019

sadus
Apr 5, 2004

Cugel the Clever posted:

:sigh: Tried to show KeePass to my 60-something mother after she heard some cybersecurity story on NPR and got concerned, but it quickly hit the classic roadblock of "Wait, you have to copy and then paste?? This is getting complicated, let me write this down." Don't think she's touched it since.

I swear my parents knew the fundamentals of computer operation in the early 2000s, but either they lost it along the way or have just grown incapable of transposing the knowledge they do have into a different, but closely parallel context...

Control-V, it will autotype both username and password.

The Fool
Oct 16, 2003


sadus posted:

Control-V, it will autotype both username and password.

But the cursor needs to start in the username field, the password field needs to be the next field in sequence and the application needs to be the most recent with focus.

Not something I would rely on for certain users.


gourdcaptain
Nov 16, 2012

The Fool posted:

But the cursor needs to start in the username field, the password field needs to be the next field in sequence and the application needs to be the most recent with focus.

Not something I would rely on for certain users.

Yeah, the couple of websites I have to use that just seem custom designed to break password managers are just baffling. Frustratingly, one of them is the bank I use.

EDIT: It's not just their website design, if their mobile app on Android detects anything other than manually typed in characters (autofill, paste) it wipes both fields immediately for username and password. -_-

gourdcaptain fucked around with this message at 02:46 on Jul 25, 2019
